kernelOfTruth (Watchman)
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
Posted: Sun Mar 02, 2008 10:21 am Post subject: 2.6.24-zen4-pax "speed meets security Redux"
Hi ladies & gentlemen,
(this is split out of the zen-sources thread):
kernelOfTruth wrote: | anyone interested in a pax-patch for 2.6.24-zen4? |
update:
sorry, no patch, the patch I created was 140 MB big
so here's the zen-sources tarball with grsecurity's pax-patch (http://www.grsecurity.com/test/pax-linux-2.6.24.3-test31.patch) [February 29 2008 12:15:15],
zen-sources' state should be from commit: 04d280d4e981b4a2b3a14eae36aa7a0796566163
kudos to spender for his great work for making linux more secure, waninkoko, rmh3093, and all the others involved in zen-sources
"speed meets security Redux"
Link to the tarball: linux-2.6.24-zen4_pax.tbz2
Instruction:
1.) compile in softmode-support, then
if you need to install apps, scan something with xsane, etc. which doesn't work with pax:
temporarily disable pax by echoing "1" to
/proc/sys/kernel/pax/softmode
Code: |
echo "1" > /proc/sys/kernel/pax/softmode |
output of paxtest with pax enabled:
Quote: | Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 40 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : 33 bits (guessed)
Main executable randomisation (ET_DYN) : 33 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed |
output of paxtest with softmode enabled:
Quote: | Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 29 bits (guessed)
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : 33 bits (guessed)
Main executable randomisation (ET_DYN) : 29 bits (guessed)
Shared library randomisation test : 29 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
|
2.) if you have problems with nvidia-drivers try the following:
https://forums.gentoo.org/viewtopic-t-577637-highlight-.html
3.) to find out which files were altered by me:
go to the directory where the tarball got extracted then:
have fun
Disclaimer:
I take no responsibility if it kills your data, your kittens, pulls away your girlfriend or anything else
I've tested it on an amd64 system with gcc 4.2.3 (hardened gcc) and glibc 2.7 & currently am using it for all my sensitive data, so it should be fine
no guarantee it will work on x86 however [if it works on amd64 it however should at least boot on x86]
_________________ https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004
lightseeker (n00b)
Joined: 23 Jun 2007 Posts: 18 Location: Smederevo, Serbia
Posted: Mon Mar 03, 2008 4:18 am
Hi!
I've managed to compile and install "Redux", but I have problems starting X when using ati-drivers 8.02 (and yes, I've disabled pax like you suggested).
Xorg.0.log says
Code: |
(II) Loading /usr/lib/xorg/modules//glesx.so
dlopen: /usr/lib/xorg/modules//glesx.so: cannot make segment writable for relocation: Permission denied
(EE) Failed to load /usr/lib/xorg/modules//glesx.so
|
Any hints?
Many thanks in advance.
kernelOfTruth (Watchman)
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
Posted: Mon Mar 03, 2008 10:26 am
lightseeker wrote: | Hi!
I've managed to compile and install "Redux", but I have problems starting X when using ati-drivers 8.02 (and yes, I've disabled pax like you suggested).
Xorg.0.log says
Code: |
(II) Loading /usr/lib/xorg/modules//glesx.so
dlopen: /usr/lib/xorg/modules//glesx.so: cannot make segment writable for relocation: Permission denied
(EE) Failed to load /usr/lib/xorg/modules//glesx.so
|
Any hints?
Many thanks in advance. |
nice
I actually never really got ati-drivers to work in the last years with pax
you need to Code: | emerge chpax paxctl | then you can play with those files producing problems:
Quote: | paxctl --help
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
usage: paxctl <options> <files>
options:
-p: disable PAGEEXEC -P: enable PAGEEXEC
-e: disable EMUTRMAP -E: enable EMUTRMAP
-m: disable MPROTECT -M: enable MPROTECT
-r: disable RANDMMAP -R: enable RANDMMAP
-x: disable RANDEXEC -X: enable RANDEXEC
-s: disable SEGMEXEC -S: enable SEGMEXEC
-v: view flags -z: restore default flags
-q: suppress error messages -Q: report flags in short format
-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
-C: create PT_PAX_FLAGS (see manpage!) |
e.g.
or Quote: | chpax --help
chpax 0.7 .::. Manage PaX flags for binaries
Usage: chpax OPTIONS FILE1 FILE2 FILEN ...
-P enforce paging based non-executable pages
-p do not enforce paging based non-executable pages
-E emulate trampolines
-e do not emulate trampolines
-M restrict mprotect()
-m do not restrict mprotect()
-R randomize mmap() base [ELF only]
-r do not randomize mmap() base [ELF only]
-X randomize ET_EXEC base [ELF only]
-x do not randomize ET_EXEC base [ELF only]
-S enforce segmentation based non-executable pages
-s do not enforce segmentation based non-executable pages
-v view current flag mask
-z zero flag mask (next flags still apply)
The flags only have effect when running the patched Linux kernel. |
you can try to disable all of them in the beginning, but often disabling mprotect ( ) or () should suffice
if you're not running hardened profile you might need to recompile your system with PIC-support
references:
http://www.gentoo.org/proj/en/hardened/
_________________ https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004 |
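The flags that paxctl and chpax toggle are stored in a PT_PAX_FLAGS program header of the executable, and the kernel applies them to the whole process, shared libraries included; the "cannot make segment writable for relocation" line above is ld.so reporting that MPROTECT refused to make an executable segment writable while applying text relocations, which a PIC build of the library avoids altogether. As an added example (not code from the thread or from paxctl), the following reads that header from a little-endian ELF64 image and decodes each feature bit pair; the letter order of the mask and the constructed sample image are this example's own assumptions.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # program-header type PaX reads its per-binary flags from

# (paxctl/chpax letter, feature, enable bit, disable bit); bit values from PaX's elf.h
PAX_FEATURES = [
    ("p", "PAGEEXEC", 1 << 4, 1 << 5),
    ("s", "SEGMEXEC", 1 << 6, 1 << 7),
    ("m", "MPROTECT", 1 << 8, 1 << 9),
    ("x", "RANDEXEC", 1 << 10, 1 << 11),
    ("e", "EMUTRAMP", 1 << 12, 1 << 13),
    ("r", "RANDMMAP", 1 << 14, 1 << 15),
]

def find_pax_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if the binary has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def decode_pax_flags(p_flags):
    """Per feature: 'enabled', 'disabled', 'default' (kernel policy decides) or 'conflict'."""
    state = {}
    for _, name, on, off in PAX_FEATURES:
        if p_flags & on and p_flags & off:
            state[name] = "conflict"  # both bits set: the marking is inconsistent
        else:
            state[name] = "enabled" if p_flags & on else "disabled" if p_flags & off else "default"
    return state

def flag_mask(p_flags):
    """paxctl-like mask: upper case = enabled, lower case = disabled, '-' = default (letter order assumed)."""
    return "".join(l.upper() if p_flags & on else l if p_flags & off else "-"
                   for l, _, on, off in PAX_FEATURES)

def make_sample_elf(p_flags):
    """Constructed minimal x86-64 ELF image: ELF header plus one PT_PAX_FLAGS program header."""
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)  # ET_EXEC, EM_X86_64, phoff=64
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr
```

`make_sample_elf(1 << 9)` yields the marking `paxctl -m` leaves behind (MPROTECT forced off, everything else at the kernel default), and `flag_mask` then reports `--m---`.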
lightseeker (n00b)
Joined: 23 Jun 2007 Posts: 18 Location: Smederevo, Serbia
Posted: Tue Mar 04, 2008 1:55 pm
Hi!
Thanks for the reply kernelOfTruth.
I am running hardened, well, sort of. I'm not using hardened profile, but hardened toolchain (gcc 4.2.2 pie/ssp and stuff from Kevin Quinn's overlay) and ~x86.
Anyway, I've played with paxctl, but X still refuses to start. I've managed to disable all flags for Xorg, but I get the same error as before. As for /usr/lib/xorg/modules/glesx.so, paxctl refuses to do anything, complaining that the file does not have a valid ELF header, and refuses to convert it or apply any changes to the binary.
Thanks anyway man, I've learned a lot of useful new stuff about gentoo, and will try to "convert" my laptop later this week.
Cheers
obrut<- (Apprentice)
Joined: 01 Apr 2005 Posts: 183 Location: near hamburg, germany
Posted: Tue Apr 01, 2008 4:47 pm
hi!
unfortunately your link is now invalid. can i get it elsewhere?
tia
obrut<- (Apprentice)
Joined: 01 Apr 2005 Posts: 183 Location: near hamburg, germany
Posted: Tue Apr 01, 2008 11:36 pm
muchas gracias!
mirror1 works, mirror2 doesn't. it gives me Quote: | Forbidden
You don't have permission to access /zen-sources_pax/linux-2.6.24-zen4_pax-r2.tbz2 on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. |
lightseeker (n00b)
Joined: 23 Jun 2007 Posts: 18 Location: Smederevo, Serbia
Posted: Wed Apr 02, 2008 7:35 pm
Hi!
I'm still using your "older" release on my laptop and it works like a charm
But today I tried compiling this new hot stuff and it gave me this
Code: |
ERROR: "sqlzma_fin" [fs/squashfs/squashfs.ko] undefined!
ERROR: "sqlzma_un" [fs/squashfs/squashfs.ko] undefined!
ERROR: "sqlzma_init" [fs/squashfs/squashfs.ko] undefined!
|
Squashfs/lzma compiles ok on "pure" zen sources checkout (from last week or so)
Many thanks in advance man.
obrut<- (Apprentice)
Joined: 01 Apr 2005 Posts: 183 Location: near hamburg, germany
Posted: Wed Apr 02, 2008 8:06 pm
my laptop just won't boot. kernel displays nothing but command line, kernel and initrd size and address (?) and hangs. tomorrow i'll look into it hoping to find the error.
lightseeker (n00b)
Joined: 23 Jun 2007 Posts: 18 Location: Smederevo, Serbia
Posted: Thu Apr 03, 2008 12:15 am
Ok, silly me.
I just saw that "redux" is based on 2.6.24-zen4 (squashfs/lzma was broken there too, right?). I have zen5, and squashfs works there. No biggie
@kernelOfTruth are you still using this pax patch: http://www.grsecurity.com/test/pax-linux-2.6.24.3-test31.patch ?
I'd like to try to apply it myself.
Thanks.
@obrut<-: Good luck, man. Older version works fine for me.
obrut<- (Apprentice)
Joined: 01 Apr 2005 Posts: 183 Location: near hamburg, germany
Posted: Fri Apr 04, 2008 12:19 pm
i tried disabling some things i've never found in gentoo-sources (automatic optimisation for example), but i won't get a "kernel alive" after grub loaded the kernel. i hoped i could test pax without waiting for hardened 2.6.24. older kernels wouldn't work because i need xts cipher mode for my encrypted harddisk. want to see if my 4.2.3 gcc with hardened patches does what it should.
@ lightseeker:
thanks
kernelOfTruth (Watchman)
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
Posted: Fri Apr 04, 2008 12:53 pm
@lightseeker:
yeah, I'm still using that patch
just go ahead
beware: googleearth and some other 32-bit opengl apps don't work under amd64 (yet <-- I don't have the time to investigate what pax-flags need to be relaxed)
Quote: | i tried disabling some things i've never found in gentoo-sources (automatic optimisation for example), but i won't get a "kernel alive" after grub loaded the kernel. i hoped i could test pax without waiting for hardened 2.6.24. older kernels wouldn't work because i need xts cipher mode for my encrypted harddisk. want to see if my 4.2.3 gcc with hardened patches does what it should. |
sorry, no idea what might prevent your system from booting; like lightseeker suggests, please try the earlier release
good luck
_________________ https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004 |
kernelOfTruth (Watchman)
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
Posted: Sun Apr 06, 2008 10:06 pm
here a set of "testing" flags for zen-sources (copy & paste !):
Code: | #
# Custom flags
#
CONFIG_CUSTOM_CFLAGS="-O2 -ftree-pre -ftree-ch -fomit-frame-pointer -freorder-blocks -freorder-blocks-and-partition -fearly-inlining -ffunction-cse -fgcse-sm -fgcse-las -fgcse-after-reload -fno-ident -fstack-protector -march=native -fforce-addr -maccumulate-outgoing-args -msse3 -minline-all-stringops -mno-align-stringops -combine -s -pipe --param max-gcse-passes=8 -fmodulo-sched -freschedule-modulo-scheduled-loops -ftree-loop-im -ftree-loop-ivcanon -fivopts -funroll-loops -fsplit-ivs-in-unroller -fvariable-expansion-in-unroller -fpeel-loops -funswitch-loops -fprefetch-loop-arrays -fpie -D_FORTIFY_SOURCE=2"
CONFIG_CUSTOM_LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common -pie"
CONFIG_CUSTOM_AFLAGS=""
CONFIG_CUSTOM_MAKEFLAGS="-S" |
adjust flags to your liking but leave -pie, -fstack-protector and FORTIFY_SOURCE=2 in it (== randomisation)
this way you'll always get the latest & greatest of zen-sources and still have (semi-)maximum protection (without pax or grsecurity ! ),
in this case even flash, googleearth, mono-apps & wine-apps, 32-bit 3D-apps work
only requirement is a hardened gcc-compiler / toolchain
Quote: | Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 28 bits (guessed)
Heap randomisation test (ET_EXEC) : 28 bits (guessed)
Heap randomisation test (ET_DYN) : 28 bits (guessed)
Main executable randomisation (ET_EXEC) : 28 bits (guessed)
Main executable randomisation (ET_DYN) : 28 bits (guessed)
Shared library randomisation test : 28 bits (guessed)
Stack randomisation test (SEGMEXEC) : 28 bits (guessed)
Stack randomisation test (PAGEEXEC) : 28 bits (guessed)
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed |
_________________ https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004 |
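The paxtest runs posted in this thread (PaX enforcing versus softmode in the first post, and the hardened-toolchain-only run just above) differ in exactly the two ways worth flagging when comparing kernel configurations: protection tests dropping from Killed to Vulnerable, and randomisation estimates shrinking. This is an added example, not code from the thread or from paxtest, that parses paxtest output and lists those regressions; the embedded inputs are excerpts of the first post's two runs, and the same function compares any other pair, such as the enforcing run against the toolchain-only output above.

```python
import re

# One paxtest result line reads "Executable heap (mprotect) : Killed".
LINE_RE = re.compile(r"^(?P<test>[^:]+?)\s*:\s*(?P<result>.+?)\s*$")

def parse_paxtest(text):
    """Map test name -> result string for one paxtest run."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results[m.group("test")] = m.group("result")
    return results

def randomisation_bits(result):
    """'33 bits (guessed)' -> 33, 'No randomisation' -> 0, Killed/Vulnerable -> None."""
    if result.startswith("No randomisation"):
        return 0
    m = re.match(r"(\d+) bits", result)
    return int(m.group(1)) if m else None

def regressions(baseline, candidate):
    """Tests weaker in candidate than in baseline: Killed -> Vulnerable, or fewer entropy bits."""
    weaker = []
    for test, base in baseline.items():
        cand = candidate.get(test)
        if cand is None:
            continue  # test missing from the candidate run: nothing to compare
        b_bits, c_bits = randomisation_bits(base), randomisation_bits(cand)
        if b_bits is not None and c_bits is not None:
            if c_bits < b_bits:
                weaker.append((test, base, cand))
        elif base == "Killed" and cand == "Vulnerable":
            weaker.append((test, base, cand))
    return weaker

# Excerpts of the first post's two runs: PaX enforcing, then softmode=1.
ENFORCING = """
Executable heap (mprotect)           : Killed
Writable text segments               : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC)    : 40 bits (guessed)
Return to function (strcpy)          : Killed
"""
SOFTMODE = """
Executable heap (mprotect)           : Vulnerable
Writable text segments               : Vulnerable
Anonymous mapping randomisation test : 29 bits (guessed)
Heap randomisation test (ET_EXEC)    : No randomisation
Return to function (strcpy)          : Killed
"""
```

`regressions(parse_paxtest(ENFORCING), parse_paxtest(SOFTMODE))` returns the four weakened tests; the unchanged "Return to function" result is left out, as is the SEGMEXEC stack test, which only improves because "No randomisation" counts as zero bits.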
lightseeker (n00b)
Joined: 23 Jun 2007 Posts: 18 Location: Smederevo, Serbia
Posted: Sun Apr 13, 2008 2:12 pm
Hi!
@kernelOfTruth: I don't quite understand. Wouldn't that just "harden" the kernel itself, not the userland and stuff?
BTW, I've managed to apply pax patch to zen5 (man that was hard), so if anyone's interested I can upload it somewhere.
:bye:
_________________ --- "Sungod, bless me with your rays..." ---